Solved

User's My Documents folder Redirection and Administrator Access

Posted on 2009-03-31
Last Modified: 2012-05-06
I need to move our user folders in a Win2k3 domain over to a new file server. It looks as if the GPO to set up folder redirection at one point must have had the Grant user exclusive rights option either enabled or not configured, as I am running into hundreds of folders that I cannot access as the users are the only ones that have access to them. The GPO is not set that way now, but the folder permissions apparently do not get updated. I can go in individually to these folders, take ownership, and then reset the permissions to gain access to them. Does anyone know of a scripted way, or something, to do this across the board, without messing up the permissions as they are now?
Question by:jvincent9
8 Comments
 
LVL 27

Expert Comment

by:bluntTony
You can change the owner for the top level folder (i.e. the shared folder), and check 'Replace owner on subcontainers and objects'. This will then make you the owner of all sub-objects.
Once you have given yourself ownership, you can then grant yourself the required permissions to the top folder, also checking the 'Replace permissions entries on all child objects...' checkbox.
You'll then have permissions to move/edit all the sub folders of the main shared folder. Failing this you could script it, but this should work I think.
 

Author Comment

by:jvincent9
I have looked into that route... From what I have seen doing a folder at a time thus far, when I take ownership of the top level folder (the user's folder in this case, to get ownership of their My Documents subfolder), it wants to grant the owner exclusive rights to the My Documents folder because I currently don't have access to it... This will blow the user's permissions away, and then I need to go back up to the level of the user's folder, and re-apply the permissions down so they get access back to their My Documents folder... Is that making sense?
 
LVL 27

Expert Comment

by:bluntTony
Changing yourself to the owner won't affect the user's permissions - this just allows you to then edit the permissions. You can then add yourself in to the ACL with the required permissions, still leaving the user's permissions intact.
If you do this on the root folder (the one that is shared - you'll need to log on the server to do this locally or via RDP), change owner/apply the permissions to all sub-objects as described above - you should be in business.
 

Author Comment

by:jvincent9
Here is what I mean... Admin group is already the owner of each user folder. We have a My Documents folder under each of those that is the redirected user folder that we don't have permissions to... See screenshot attachment. When trying to filter the ownership down to the subfolders, I am presented with this. If I say Yes, it replaces all permissions, and just adds the admin group with full control, removing the user's permissions. I can then go back up to the user root folder, and push the permissions back down, and that is OK... But I'm dealing with possibly a few thousand user folders that are affected this way...
owner.jpg
 
LVL 27

Expert Comment

by:bluntTony
OK, how about running a backup job to make a copy of the folders. Schedule an NTBackup job to back the folders up using the context of a user you have placed in the 'Backup Operators' local group on the file server.
You can then restore to the new server - worth testing on a handful first.
Either that, or you could apply the permissions under the SYSTEM context; scripting the use of cacls during a startup script would do it, but this seems a bit convoluted. I'd try the backup.
 

Author Comment

by:jvincent9
Any idea on how to run a script under the system context? I might actually give that a try first based on the amount of data that I would need to restore from a backup... I already have some cacls.exe scripts that I could tweak if I could just run them as a user that can modify the folder/file ACLs.
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
You can open a cmd window in the SYSTEM context using the following method. It's not the best but it works. You have to run this locally on the machine, not from an RDP session as the cmd window will only open on the console session:
From the command prompt, type:
sc create testsvc binpath= "cmd /K start" type= own type= interact
...this creates a service called 'testsvc' which opens the command prompt in the SYSTEM context. To start the service:
sc start testsvc
...you'll get an error message saying that the service failed to start in a timely fashion, but a cmd window will pop up. A quick check in Task Manager will show the process as running under the SYSTEM context. You can then launch this service each time you need to do this.
Try and run cacls in this cmd window...
 

Author Closing Comment

by:jvincent9
Coolest solution ever!  Thanks bluntTony!  Within the cmd running as System I am able to inject the administrators group to the ACL of all user folders now.  Awesome solution!!!  Thanks again!
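
The scripted step the thread ends on, as an added example that is not part of the original posts: a batch file to run inside the SYSTEM cmd window that adds the Administrators group to each redirected folder's ACL in edit mode, so the user's existing entries are kept, and then removes the interactive service. The root path D:\Users, the <root>\<user>\My Documents layout and the log file name are assumptions; 'testsvc' is the service name used in the accepted solution.

```batch
@echo off
rem Added example, not from the thread. Run it in the cmd window opened by
rem 'sc start testsvc' so that it executes as SYSTEM.
setlocal

rem Assumed layout: D:\Users\<username>\My Documents. Adjust ROOT to your share.
set "ROOT=D:\Users"
set "LOG=%TEMP%\acl-fix.log"

rem Refuse to run outside the SYSTEM context: an ordinary admin session would
rem only fill the log with access-denied errors.
whoami | find /i "nt authority\system" >nul
if errorlevel 1 (
    echo This script must be run from the SYSTEM command prompt.
    exit /b 1
)

echo ACL update started %DATE% %TIME% >> "%LOG%"

for /D %%U in ("%ROOT%\*") do (
    if exist "%%~fU\My Documents" (
        echo Updating "%%~fU\My Documents" >> "%LOG%"
        rem /E edits the existing ACL instead of replacing it, so the user's
        rem entries stay in place. /T recurses into subfolders and files.
        rem /C continues past individual errors. /G grants Full Control.
        cacls "%%~fU\My Documents" /T /E /C /G Administrators:F >> "%LOG%" 2>&1
    ) else (
        echo Skipped "%%~fU" - no My Documents folder >> "%LOG%"
    )
)

echo ACL update finished %DATE% %TIME% >> "%LOG%"

rem The service definition stays registered after the window closes and would
rem hand a SYSTEM prompt to anyone able to start it, so delete it when done.
sc delete testsvc

echo Done. Review %LOG% for errors, then close this window.
endlocal
```

Running cacls with only a folder path prints its current ACL, which is a quick way to confirm on a few folders that the user's entry is still present next to the new Administrators entry.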